Miss: cycle274 DB-GPT unauth-RCE disclosure-gate was called CLEAN off GitHub issues/PRs + CVE/GHSA (0 hits for code_interpreter/react-agent). Whole cycle + a Docker live-E2E spent bulletproofing it. When the operator opened huntr.com/repos/eosphoros-ai/db-gpt to FILE, the board showed: (1) cash = $0 all severities, (2) 25+ reports = hunting graveyard, and BOTH our finding primitives ALREADY reported by others: unauth leg = "Fake Authentication: get_user_from_headers Returns Admin Role" (xjin1020); code-exec leg = "Unauthenticated code execution via sandbox /execute endpoint" (nhomyk) + "Multiple Code Sandbox Security Bypasses" (lexi-core-ai). Our finding = those recombined -> near-certain DUPLICATE. HELD (not filed).
Root cause: same as RAGFlow (checked GitHub+CVE but not the platform report surface). GitHub issues/PRs + CVE search does NOT show huntr pending/duplicate reports.
HARD RULE (add to the deep-drill FLOOR, run EARLY as a cheap gate):
1. For ANY platform-listed repo (huntr/etc.), BEFORE deep-drilling or calling novel: open the platform's OWN report board for the repo (huntr.com/repos/
Net: verified-and-held beats filed-and-marked-duplicate. The operator caught this pre-file; bank it so the gate catches it next time.